Customs-Trade Partnership Against Terrorism (C-TPAT)

The Customs-Trade Partnership Against Terrorism (C-TPAT) is a voluntary supply-chain security program led by U.S. Customs and Border Protection (CBP) focused on improving the security of private companies' supply chains with respect to terrorism.

Importers must conduct a comprehensive assessment of their international supply chains based upon the following C-TPAT security criteria.

Where an importer outsources or contracts elements of their supply chain, such as a foreign facility, conveyance, domestic warehouse, or other elements, the importer must work with these business partners to ensure that pertinent security measures are in place and adhered to throughout their supply chain. The supply chain for C-TPAT purposes is defined from point of origin (manufacturer/supplier/vendor) through to point of distribution – and recognizes the diverse business models C-TPAT members employ.

C-TPAT recognizes the complexity of international supply chains and endorses the application and implementation of security measures based upon risk analysis. Therefore, the program allows for flexibility and the customization of security plans based on the member’s business model.

Appropriate security measures, as listed throughout this document, must be implemented and maintained throughout the importer’s supply chains - based on risk.

This Statement details how specific features in WhosOnLocation can help you align with the C-TPAT Security Criteria. We illustrate this in Table 1 below.

Table 1: Role | C-TPAT Criteria | How WhosOnLocation Supports the Criteria

Physical Access Controls

Access controls prevent unauthorized entry to facilities, maintain control of employees and visitors, and protect company assets.

WhosOnLocation provides a wide range of tools to support the management of authorized entry to facilities:

Your facility’s gatekeepers (security, concierge, and receptionists) have full visibility of all authorized people (visitors, vendors, suppliers, and employees). They can sign them in, capturing proof of identification and other facility-centric information from them, creating an audit trail of all entries.

With the location settings, administrators can define occupancy hours and set up alerts for entry outside of specific times.

Users can set up Watchlists or send entry data to external Watchlists. When a match is found, you can have the system automatically create warnings for any team member to act upon.

Administrators can set rules in your WhosOnLocation account which require employees to pre-register visitors. Any person looking to sign in to a facility without having been pre-authorized through the pre-registration process is denied access.

Use 'Answer Share' to share the visitor's name, organization, phone, email, photo, etc. with their employee host upon sign-in.

Administrators can also set rules that require the host to authorize the visitor before entry is approved. We refer to this as Host Authorization.

Access controls must include the positive identification of all employees, visitors, and vendors at all points of entry.

Security guards, concierge, and/or receptionists can capture personally identifiable information from any person as a condition of entry. This can include:

Name

Organization

Phone

Mobile | Cell

Email

Photo

Identification Type

Identification reference

*coming in September 18, Scanned Driver's License

And more…

Vendors, suppliers, contractors and other service providers can be pre-approved in your WhosOnLocation account. On arrival their entry can be denied if their certifications, approvals, and qualifications have expired.

Physical Access Controls | Employees

An employee identification system must be in place for positive identification and access control purposes.

Whilst your WhosOnLocation account stores a current list of approved employees that can be maintained manually by administrators, you can also use our SyncPortal to maintain your employee list with your Active Directory (Active Directory Federation Services (AD FS)).

All of the above results in a ‘current’ list of employees, and their profile info (name, department, title, photo, email, phone) being ‘read only’ visible to security, concierge, and reception operators when the respective employee requests entry to a facility.

Employees should only be given access to those secure areas needed for the performance of their duties.

WhosOnLocation can integrate with your access control system. In addition, you can set up zones within a facility and then deploy Inter-Zone kiosks which require employees (as well as vendors and visitors) to sign in when entering specific zones and areas in your facilities. Their presence is registered, and triggers (alerts) can be set up for entry events that meet specific conditions.

Company management or security personnel must adequately control the issuance and removal of employee, visitor and vendor identification badges.

WhosOnLocation supports a facility’s policies concerning the issuance of visitor, vendor and employee badges including alerts for those people still on-site or who have not signed out.

Procedures for the issuance, removal and changing of access devices (e.g. keys, key cards, etc.) must be documented.

WhosOnLocation’s Asset Management feature supports the recording of who was assigned what asset, be that a key or a card, and when it was returned.

Physical Access Controls | Visitors

Visitors must present photo identification for documentation purposes upon arrival.

When the visitor presents their photo ID, security guards, concierge, and reception teams can capture the relevant identification info required for entry. From late September 2018 facilities will be able to ‘scan’ the driver's license, adding a new layer of identity verification to the service to support C-TPAT.

All visitors should be escorted and visibly display temporary identification.

WhosOnLocation supports the issuance of visitor, employee, and vendor badges.

In addition, administrators can enforce a rule in their WhosOnLocation account that requires all employees receiving a visitor host notification to ‘authorize’ their visitor before they are issued with a Visitor Badge. We refer to this feature as Host Authorization.

The software, if used correctly (i.e. requires valid photo ID be used to get a visitor badge, and maintains historical record keeping we can access), allows us to meet and document meeting that portion of C-TPAT requirements for Visitor Security.

Records are retained of all entries and departures from facilities. Audit records are available indefinitely. Report users can report by date range, name, organization, frequency of visit and more…

Physical Access Controls | Deliveries (including mail)

Proper vendor ID and/or photo identification must be presented for documentation purposes upon arrival by all vendors.

Vendor management, or what we call ‘Service Provider Management’, is a core feature of all WhosOnLocation accounts and plans. Users can set up approved vendor, supplier, and contractor organizations and then set up the people who represent them. When setting up a vendor, you can record the names of all approved personnel, including their contact details, qualifications, certifications, and photo.

On arrival, security guards, concierge, and reception teams can demand proof of ID, which is used to match against the approved record of the vendor.

Arriving packages and mail should be periodically screened before being disseminated.

Whilst WhosOnLocation does not ‘screen’ deliveries, the arrival and receipt of deliveries can be managed by security guards, concierge, and reception teams. Deliveries reports are available from the reporting tool.

Procedures must be in place to identify, challenge and address unauthorized / unidentified persons.

The watchlist feature within our Triggers Add-on allows you to automatically check visitors entered into the system against internally generated “lists” and alert nominated people of their presence.

The types of lists you can create are endless and are limited only by your imagination. Some examples include: banned employees, banned visitors, sex-offender lists, terrorist screening lists, No-Fly lists (if you are an airport), VIP lists, Valued Customer Lists, etc. You can even download government watchlists if you have access to the raw files and upload them as a watchlist in your WhosOnLocation account.

Physical Security | Gates and Gate Houses

Gates through which vehicles and/or personnel enter or exit must be manned and/or monitored.

Automated systems must use individually assigned accounts that require a periodic change of password. IT security policies, procedures and standards must be in place and provided to employees in the form of training.

WhosOnLocation’s User Administration and User Access Policies provide support for the requirements and the compliance needs of publicly-traded companies by ensuring robust password authentication and controlled system access to your WhosOnLocation account. You can learn more here:

Further help?

For further information and advice about this policy and any aspect of information security contact WhosOnLocation by email at trust@whosonlocation.com.